One of the ways in which the number of organizations trusted to issue for the WebPKI is extended is by an existing CA bestowing the power of issuance upon a third party in the form of control of a non-technically-constrained subCA. Examples of such are the Google and Apple subCAs under GeoTrust, but there are others.
Adding new organizations to the list of those trusted is a big deal, and currently Mozilla has little pre-insight into and not much control over this process. CAs may choose to do this for whoever they like, the CA then bears primary responsibility for managing that customer, and as long as they are able to file clean audits, things proceed as normal.

Mozilla is considering a policy change whereby we require private pre-notification of such delegations (or renewals of such delegations). We would not undertake to necessarily do anything with such notifications, but lack of action should not be considered permissive in an estoppel sense. We would reserve the right to object either pre- or post-issuance of the intermediate. (Once the intermediate is issued, of course, the CA has seven days to put it in CCADB, and then the relationship would probably become known unless the fields in the cert were misleading.)

This may not be where we finally want to get to in terms of regulating such delegations of trust, but it is a small step which brings a bit more transparency while acknowledging the limited capacity of our team for additional tasks.

Comments are welcome.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy